# Only allow alphanumeric characters, hyphens, periods, plus signs, underscores, and spaces
50
-
if ! echo "$packages" | grep -E '^[a-zA-Z0-9._+-]+( [a-zA-Z0-9._+-]+)*$' > /dev/null; then
51
-
echo "::error::Invalid package names in extra-install-packages. Only alphanumeric characters, hyphens, periods, plus signs, underscores, and spaces are allowed."
52
-
exit 1
53
-
fi
46
+
# Validate against Debian package naming rules: must start with alphanumeric,
47
+
# contain only lowercase letters, digits, hyphens, plus signs, periods
48
+
# Package names cannot start with hyphen or period, and must be reasonable length
49
+
foreach ($pkg in $env:EXTRA_INSTALL_PACKAGES -split '\s+') {
50
+
if ($pkg -notmatch '^[a-z0-9][a-z0-9.+-]{0,100}$') {
51
+
Write-Host "::error::Invalid package name '$pkg'. Debian packages must start with lowercase letter or digit and contain only lowercase letters, digits, hyphens, periods, and plus signs."
52
+
exit 1
53
+
}
54
+
}
54
55
55
56
# Using a pre-built docker image in GitHub container registry instead of NPM to reduce possible attack vectors.